Chapter 5: Reform the US Government’s Structure & Organization for Cyberspace

Although the government has taken necessary and significant steps to deter and disrupt threats from cyberspace, they remain insufficient to the scale of the problem. There needs to be greater collaboration between the public and private sectors in the defense of critical infrastructure and better integration in the planning, resourcing, and employment of government resources.

The following recommendations are intended to provide the US government with the strategic continuity and unity of effort necessary to support the other pillars and recommendations to achieve layered cyber deterrence and defending US infrastructure against significant cyberattacks.

STRATEGIC OBJECTIVE 1: ALIGN US GOVERNMENT STRATEGY WITH LAYERED CYBER DETERRENCE

This new national cyber strategy should reflect the strategic approach of layered cyber deterrence, emphasizing resilience and public-private collaboration, and including the concept of defend forward, to raise costs and lower benefits for malicious cyber activity. This approach will enable the US government to achieve speed and agility, a bias for action, and effectiveness in cyberspace.

Key Recommendation: The executive branch should issue an updated National Cyber Strategy

Enabling Recommendations:

Develop a Multitiered Signaling Strategy
- The logic of defend forward is missing an explicit discussion of signaling. To change adversary’s behaviors, it isn’t enough to simply counter their attacks, but rather the US must signal capability and resolve, as well as communicate how it seeks to change adversary behavior and shape the strategic environment.

Promulgate a New Declaratory Policy
- A declaratory policy is essential for deterrence because it can credibly convey resolve. The current declaratory policy regarding cyberspace currently is organized around a use-of-force threshold and reserves the right for the US to respond to a cyber attack in a time, place, and manner of its choosing. There are challenges with this current policy, including that it doesn’t sufficiently communicate resolve or articulate a compelling logic of consequences. As a result, the new declaratory policy should revolve around a use-of-force threshold, meaning that the US should publicly convey that it will respond using swift, costly, and transparent consequences against cyber activities, thus reinforcing the deterrence of strategic cyberattacks.

STRATEGIC OBJECTIVE 2: STREAMLINE CONGRESSIONAL OVERSIGHT AND AUTHORITY OVER CYBERSECURITY ISSUES
Responsibility for cyberspace is currently dispersed throughout Congress. By centralizing responsibility in the new House Permanent Select and Senate Select Committees on Cybersecurity, Congress will be empowered to provide coherent oversight to government strategy and activity in cyberspace.

Key Recommendation: Congress should create House Permanent Select and Senate Select Committees on Cybersecurity to consolidate budgetary and legislative jurisdiction over cybersecurity issues, as well as traditional oversight authority.

These committees would have legislative jurisdiction over the broad integration of systemic cybersecurity strategy and policy both within government and between the government and private sector. They would also have oversight responsibilities for executive branch responses to domestic and foregin cybersecurity threats, government organization or reorganization to deal with cybersecurity threats, the protection of federal networks, the confirmation of relevant Senate-confirmed cybersecurity officials, and the consolidation of federal reporting requirements for cyber initiatives and relevant data.

Enabling Recommendation:

Reestablish the Office of Technology Assessment (OTA)
- The OTA would advise both chambers on cyber and technology policy issues. Congress would benefit from the agility, depth, breadth, and objectivity of insight and analysis provided by an office focused on technology

STRATEGIC OBJECTIVE 3: REFORM THE EXECUTIVE BRANCH TO BE MORE AGILE AND EFFECTIVE IN CYBERSPACE
Many departments and agencies, with different responsibilities for and interests in securing cyberspace, compete for resources and power, resulting in conflicting efforts sometimes carried out as cross purposes. Therefore, more consolidated accountability for harmonizing the executive branch’s policies, budgets, and responsibilities in cyberspace is needed to achieve coherence in the planning, resourcing, and employing of government cyber resources.

Key Recommendation: Congress should establish a National Cyber Director (NCD), within the Executive Office of the President, who is Senate-confirmed and supported by the Office of the National Cyber Director. The NCD would serve as the President’s principal advisor for cybersecurity and associated emerging technology issues; the lead for national-level coordination for cyber strategy, policy, and defensive cyber operations; and the chief US representative and spokesperson on cybersecurity issues.

The NCD would not direct or manage day-to-day cybersecurity policy or the operations of any one federal agency, but instead will be responsible for the integration of cybersecurity and policy and operations across the executive branch.

Key Recommendation: Congress should strengthen the Cybersecurity and Infrastructure Security Agency (CISA) in its mission to ensure national resilience of critical infrastructure, to promote a more secure cyber ecosystem, and to serve as the central civilian cybersecurity authority to support federal, state, and local, and private-sector cybersecurity efforts.

Enabling Recommendations:

Codify and Strengthen the Cyber Threat Intelligence Integration Center (CTIIC)
- The CTIIC plays a critical role in generating a whole-of-government understanding of significant cyber threats affecting the US and could assist in providing analysis and coordination necessary for rapid and accurate attribution. However, CTIIC needs to be fully resourced to carry out the entire scope of its mission, including sufficient funding, manpower, and analytical resources to fully support federal departments and agencies in their operations.

Strengthen the FBI’s Cyber Mission and the National Cyber Investigative Joint Task Force
- Congress and the executive branch should take steps to ensure the FBI is properly resourced, specifically by enhancing investigative and analytical personnel, expanding technical capability, empowering interagency collaboration, and supporting joint operational resources.

STRATEGIC OBJECTIVE 4: RECRUIT, DEVELOP, AND RETAIN A STRONGER FEDERAL CYBER WORKFORCE

Key Recommendation: Congress and the executive branch should pass legislation and implement policies designed to better recruit, develop, and retain cyber talent while acting to deepen and diversify the pool of candidates for cyber work in the federal government

The challenge of achieving effective security and defense in cyberspace depends on people as much as it does technology or policy. Today there is a significant shortage in the cyber workforce. The shortages are driven by a need for personnel that have specific cybersecurity skills, but they are complicated by government hiring, training, and development pathways that are not well-suited to recruit and retain those personnel. SUggestions on how to improve this shortage include committing to recruiting beyond conventional pathways into government, providing policy and legislative tools to grow the cyber workforce, and develop and retain cybersecurity talent.

Enabling Recommendation:

Improve Cyber-Oriented Education
- It is crucial that schools teach students to value cybersecurity in their personal lives, as well as to start cultivating skills needed for a future in the industry, Additionally, the federal government should provide resources, tools, and incentives to encourage local decision makers in implementing improved cyber education in their school systems.